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ABSTRACT 

We argue that emergent behavior is inherent to cybersecurity. 

Categories and Subject Descriptors 

D.4.6 [Security and Protection] 

General Terms 

Security, Theory 

Keywords 

Emergent behavior, cybersecurity, security properties 

1. INTRODUCTION 

The human-created cyberspace is a very large-scale complex sys¬ 
tem of cybersystems. Its security properties are difficult to under¬ 
stand and characterize. We attribute this difficulty to its complex¬ 
ity, a manifestation of which is the so-called emergent behavior 
in Complexity Science j6}. Although there is no universally ac¬ 
cepted definition of emergent behavior QTj, the basic idea is intu¬ 
itive. The simplest example of emergent behavior may be the well 
known “1 + 1 > 2" effect. For our purpose, it is sufficient to use 
the following informal definition of emergent behavior in cyberse¬ 
curity domain. 

DEFINITION 1. A security property of a cybersystem exhibits 
emergent behavior if the property is not possessed by the underly¬ 
ing lower-level components of the cybersystem. 

A direct consequence of emergent behavior is that at least some 
security properties cannot be understood by solely considering the 
lower-level components; instead, we must explicitly consider the 
interactions between the lower-level components. Although emer¬ 
gent behavior of cybersystems has been discussed from a function 
or constructional perspective flOUT) . emergent behavior in cyber¬ 
security is not systematically examined until now. 
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2. EMERGENT BEHAVIOR 

We demonstrate emergent behavior in cybersecurity through three 
examples. 

Example 1: Emergent behavior exhibited by cybersecurity dy¬ 
namics. We refer to ED for an exposition of the emerging field of 
cybersecurity dynamics. In order to explain how emergent behav¬ 
ior is exhibited by cybersecurity dynamics, we consider the perhaps 
simplest model 0 . For our purpose, it suffices to consider two 
cybersystems that respectively induce attack-defense structures (or 
graphs) Gi = (Vi, Ei), where Vi is the node (vertex) set and Ei 
is the edge set for * = 1 , 2 . Let Ai(G) denote the largest eigen¬ 
value of the adjacency matrix of a graph G, p denote the defense 
capability in detecting and cleaning compromised nodes (e.g., the 
probability that a compromised node gets cleaned at a time step), 
and 7 denote the attack capability in compromising secure nodes 
(e.g., the probability that this event occurs over an edge at a time 
step). For simplicity, suppose Gi is a complete graph with m 
nodes for i = 1 , 2 . It is well known that Ai(Gi) =. m — 1 and 
Ai(G 2 ) = «2 — 1 . For i — 1 , 2 , if Ai(G;) < /S/7, the attacks 
will eventually be wiped out in the cybersystem that induces Gi ; if 
Ai (Gf) > (8/7, the attacks cannot be wiped out ( 4 ). 

Now we consider a new cybersystem that is obtained by inter¬ 
connecting the aforementioned two cybersystems that induced Gi 
and G2. Consider the simplest case that any node can attack any 
other node in the interconnected cybersystem, which effectively in¬ 
duces attack-defense structure, a complete graph, Gi, 2 with ni+ri2 
nodes and Ai (G72) = m + ri2 — 1 . In many (if not all) cases, the 
defense capability j 3 ' and the attack capability 7' associated to Gi, 2 
are respectively the same as the defense capability P and the attack 
capability 7 associated to Gi and G2. Since Ai (Gi) < P/y for 
i = 1,2 do not imply Ai(Gi,2) < P'/')' = P/'y, we conclude 
that the attacks can be wiped out in the two underlying compo¬ 
nent cybersystems, but cannot be wiped out in the interconnected 
cybersystem as long as Ai(Gi,2) > P/ 7. This phenomenon can 
be naturally extended to more sophisticated settings (e.g., EHm 
mum). This implies that cybersecurity dynamics cannot be de¬ 
termined by looking at the component cybersystems alone. Rather, 
we need to look into how the component cybersystems interact with 
each other. 

Example 2: Emergent behavior exhibited by security proper¬ 
ties in the extended trace-property framework. In the field of 
program verification, it was known that specifications that are suf¬ 
ficient for sequential programs are not sufficient for concurrent pro¬ 
grams. For dealing with concurrent programs, Lamport proposed 
the safety-liveness framework of trace properties GU. Intuitively, 
a trace is a finite or infinite sequence of states corresponding to an 
execution of a program. A trace property is a set of traces such 


that every trace, in isolation, satisfies the same predicate. A safety 
property says that no “bad thing" happens during the course of a 
program execution, while a liveness property says that “good thing" 
will eventually happen during the course of a program execution. 
Both safety and liveness are trace properties. A beautiful result is 
that every trace property is the intersection of a safety property and 
a liveness property am 

Given the above history, it is appealing to specify a cybersystem 
as a set of traces, and therefore as a subset of a security property 
that is also specified as a set of traces. Unfortunately, security prop¬ 
erties are not trace properties as shown in mumm and refreshed 
below. First, noninterference is a security property that captures the 
intuition that system security is preserved as long as high-clearance 
(or high-privilege) processes cannot influence the behavior of low- 
clearance (low-privilege) processes. It is no trace property because 
it cannot be verified without examining the other traces. Second, 
information-flow captures some kind of correlation between the 
values of variables in multiple traces. It is no trace property be¬ 
cause it cannot be verified by examining each trace alone. Third, 
average service response time is an availability property. It is no 
trace property because it depends on the response time in all traces. 

In an effort to overcome the above limitation of the safety-liveness 
framework, Clarkson and Schenider extended the notion of trace 
properties to the notion of trace hyperproperties 0. Basically, hy¬ 
perproperties are sets of trace properties. In parallel to the safety- 
liveness framework, a hyperproperty is also the intersection of a 
safety hyperproperty and a liveness hyperproperty. It is now known 
that information-flow, integrity and availability can be hypersafety 
or hyperliveness 0. Exactly because hyperproperties capture that 
the verification procedure must examine across multiple traces, which 
may accommodate interactions between the component systems, 
we say that hyperproperties exhibit the emergent behavior. This 
means that we need to study the emergent behavior in cybersecu¬ 
rity, which may explain why it took so long to realize the impor¬ 
tance of hyperproperties. 

Example 3: Emergent behavior exhibited by cryptographic se¬ 
curity properties. Cryptographic secure multiparty computation 
allows multiple parties Pi,..., Pm, each having a respective secret 
xi,..., x m , to compute a function f(x i, ..., x m ) such that no in¬ 
formation about the xfs is leaked except for what is implied by the 
output of the function. This manifests a confidentiality property. A 
beautiful feasibility result is that any polynomial-time computable 
function /(•, ...,•) can be securely computed |20| [9t, as long as the 
protocol executes in isolation (the stand-alone setting) and trapdoor 
permutations exist. When such cryptographic protocols are used as 
building-blocks in larger applications/systems, they may execute 
concurrently (rather than in isolation). This leads to a natural ques¬ 
tion: Are the cryptographic protocols, which are provably secure 
when executed in isolation, still secure when they are concurrently 
called by larger applications/systems? Intuitively, concurrent exe¬ 
cutions offer the attacker the leverage (for example) to schedule the 
messages in a way that is to the attacker’s advantage, which does 
not have a counterpart in the stand-alone setting. 

Quite similar to what happened in the field of program verifica¬ 
tion, where specific properties (e.g., partial correctness and mutual 
exclusion) were investigated before the introduction of the unifying 
safety-liveness framework CD, the same kind of development was 
made in the field of cryptographic protocols. That is, specific cryp¬ 
tographic security properties were investigated before the introduc¬ 
tion of the unifying notion called universal composability 0, or 
its equivalent (but perhaps more intuitive) version called concur¬ 
rent general composition (arbitrarily many instances run possibly 
together with arbitrary other protocols) 03- It is now known that 


there are cryptographic multiparty computation protocols, which 
are provably secure when executed in isolation, but are not secure 
when they are concurrently called by larger applications/systems. 
For example, there exist classes of functions that cannot be com¬ 
puted in the universally composably secure fashion 0. In other 
words, these functions can be securely computed by running some 
cryptographic protocols in isolation, but cannot be securely com¬ 
puted when the protocols execute concurrently. In order to make 
cryptographic multiparty computation protocols secure when they 
are used as building-blocks for constructing larger cybersystems, 
we need to make extra assumptions, such as that majority of the 
parties Pi,..., P m are not compromised 0. This manifests emer¬ 
gent behavior. (It is interesting to note that whether or not it is 
reasonable to assume that majority of the parties are not compro¬ 
mised may be addressed by the cybersecurity dynamics framework 
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